I have been a big fan of Meterpreter since its first version, and now I would like to review the different cool things and plugins that are around for this feature of Metasploit, which covers the post-exploitation phase. As explained in the first Meterpreter paper:

Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection.

First of all, I would like to remark that I use Meterpreter as a standalone binary most of the time. To create a binary for uploading to a server you can use this command:

You can find examples of these modules and their source code on the DarkOperator website under the Meterpreter section; many of them are included in the Metasploit project.

Meterpreter service wrapper:

You can use Metsvc to run Meterpreter as a Windows service or as a command-line application. You have to download it from Phreedom.org (Alexander Sotirov).

c:> metsvc.exe install-service (it will launch on port 31337)
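Because metsvc persists as a Windows service and opens a listener on port 31337, those two artifacts are also what a defender would look for on a host. The following is an added example written for this post, not code from Metsvc or Metasploit: it scans text in the shape of `sc query` and `netstat -ano` output for a service whose name or display name mentions metsvc/Meterpreter and for any TCP socket listening on 31337. The sample output embedded below is constructed, and the service and display names used in it are assumptions about how the wrapper registers itself.

```python
"""Added example: spot a persisted Meterpreter service wrapper (metsvc) on a host.

Inputs are constructed text shaped like `sc query` and `netstat -ano` output;
on a real system you would feed in the actual command output instead.
"""
import re

METSVC_PORT = 31337  # default listener port mentioned in the post
NAME_PATTERN = re.compile(r"metsvc|meterpreter", re.IGNORECASE)

# Constructed sample, shaped like `sc query`; the metsvc entry is an assumption.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 4  RUNNING

SERVICE_NAME: metsvc
DISPLAY_NAME: Meterpreter
        STATE              : 4  RUNNING
"""

# Constructed sample, shaped like `netstat -ano`.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2244
  TCP    10.0.0.5:49672         10.0.0.9:445           ESTABLISHED     1804
"""


def suspicious_services(sc_output: str) -> list[str]:
    """Return service names whose SERVICE_NAME or DISPLAY_NAME matches NAME_PATTERN."""
    hits: list[str] = []
    current = None
    for line in sc_output.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(\S+)", line)
        if m:
            current = m.group(1)
            if NAME_PATTERN.search(current) and current not in hits:
                hits.append(current)
            continue
        m = re.match(r"DISPLAY_NAME:\s*(.+)", line)
        if m and current and NAME_PATTERN.search(m.group(1)) and current not in hits:
            hits.append(current)
    return hits


def listeners_on_port(netstat_output: str, port: int = METSVC_PORT) -> list[int]:
    """Return PIDs of TCP sockets in LISTENING state bound to the given port."""
    pids: list[int] = []
    for line in netstat_output.splitlines():
        parts = line.split()
        # Data rows have exactly five columns: proto, local, foreign, state, pid.
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "LISTENING":
            local_port = parts[1].rsplit(":", 1)[-1]
            if local_port == str(port):
                pids.append(int(parts[4]))
    return pids


def assess(sc_output: str, netstat_output: str) -> dict:
    """Combine both checks into one finding record for a host."""
    return {
        "services": suspicious_services(sc_output),
        "listener_pids": listeners_on_port(netstat_output),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SC_QUERY, SAMPLE_NETSTAT))
```

The PID returned for the 31337 listener can be cross-referenced with the service's process in Task Manager or `tasklist /svc`; a match between a metsvc-named service and a 31337 listener is a strong indicator, while either alone is worth a closer look since both the name and the port are trivially changed.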

Well, that's all for now. I would like to thank Chris Gates and Carlos Perez (DarkOperator) for their work with Meterpreter, a great tool for post-exploitation that is perhaps underestimated by many and unknown to others.

I read an interesting article on how to obtain a shell through an Oracle database. It was written by Alexandr Polyakov from www.dsecrg.com, and they have more interesting material about Oracle penetration testing on their website.

The article explains how to obtain an OS shell via a pass-the-hash technique from inside Oracle, using only an account with the CONNECT and RESOURCE privileges. The idea is to make the database read a file over the network via SMB (using ctxsys.context), so that it connects to a fake SMB server and the NTLM challenge-response can be captured.
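The step that makes this technique work is the database server opening an outbound SMB connection to a host the attacker controls, so a straightforward control is to allow SMB from database hosts only to known file servers and alert on anything else. The following is an added example written for this post, not code from the DSecRG article or from Metasploit: it parses constructed firewall log lines in a generic key=value format (the field names, host addresses and the approved-server list are all assumptions) and reports SMB connections from a database server to any non-approved destination, whether the firewall allowed or denied them.

```python
"""Added example: flag outbound SMB from database hosts to non-approved servers.

Log format, addresses and allow-list are constructed for illustration and do
not correspond to any real product's schema or any real network.
"""

DB_SERVERS = {"10.0.0.20"}             # constructed: hosts running Oracle
APPROVED_FILE_SERVERS = {"10.0.0.50"}  # constructed: SMB targets the DB may use
SMB_PORTS = {139, 445}

# Constructed firewall log lines in a generic key=value layout.
SAMPLE_LOG = """\
ts=2024-01-01T10:00:00Z src=10.0.0.20 dst=10.0.0.50 proto=tcp dport=445 action=allow
ts=2024-01-01T10:00:05Z src=10.0.0.20 dst=10.0.0.50 proto=tcp dport=1521 action=allow
ts=2024-01-01T10:00:07Z src=10.0.0.20 dst=203.0.113.7 proto=tcp dport=445 action=allow
ts=2024-01-01T10:00:09Z src=10.0.0.31 dst=203.0.113.7 proto=tcp dport=445 action=allow
ts=2024-01-01T10:00:12Z src=10.0.0.20 dst=192.168.7.9 proto=tcp dport=139 action=deny
"""


def parse_line(line: str) -> dict:
    """Split a key=value log line into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def find_smb_egress(log_text: str) -> list[dict]:
    """Return alerts for SMB connections from a DB server to a non-approved host.

    Denied attempts are reported too: a database host trying to reach SMB on an
    unknown address is itself the signal, regardless of the firewall verdict.
    """
    alerts = []
    for raw in log_text.splitlines():
        f = parse_line(raw)
        try:
            dport = int(f.get("dport", ""))
        except ValueError:
            continue  # malformed or missing port; skip the line
        if (
            f.get("proto") == "tcp"
            and f.get("src") in DB_SERVERS
            and dport in SMB_PORTS
            and f.get("dst") not in APPROVED_FILE_SERVERS
        ):
            alerts.append(
                {"ts": f.get("ts"), "src": f["src"], "dst": f.get("dst"),
                 "dport": dport, "action": f.get("action")}
            )
    return alerts


if __name__ == "__main__":
    for alert in find_smb_egress(SAMPLE_LOG):
        print(alert)
```

Of the five constructed lines, only two trip the rule: the allowed connection to 203.0.113.7:445 and the denied attempt to 192.168.7.9:139. The allowed connection is the one that would have leaked the challenge-response, which is why the egress rule that produced the `deny` belongs on the database segment in the first place.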

The author also explains the creation of a Metasploit plugin (ora_ntlm_stealer) to automate the process, so you can get it by updating your svn copy.